Cert Expire next week need help to renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

My certificate is going to expire next week. Would you be able to help renew?

Well, not if you remove almost all of the questionnaire. Those questions, or the answers to them actually, are supposed to help us to help you.

Sorry, what info do you need?
I added a snapshot with the cert info and domain.

The answers to all the other questions from the questionnaire would be helpful. I understand if you don't know the answer to (some of) them, but it would also be helpful to know that. If you remove all the questions entirely, we don't know anything.

Yes, the domain is almost always necessary, thank you.

I can see your certificate issued at that date indeed:

However, I also see a more recent certificate issued one week ago. The question is: why isn't that in use?

So below is the questionnaire which I've modified slightly so it fits more the situation we're in:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: smartpathauth.di-metal.net

I ran this command or I followed these steps when I got my certificates the first time:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Do we use certbot for cert renewal?

That's not something we can answer directly; you should have that information. But please answer the questions in the questionnaire first.

My box is Linux Ubuntu 4.0
Yes, I can ssh to box
Not sure why we aren't using the latest cert. I'm a bit confused how we use encrypt vs certbot? Can you help get my new cert up?

Okay, I think I got it. We use Certbot to renew our certificate. We get our certificate from "letsencrypt". Sound about right? I just needed some help renewing the cert. Can you help?

What's the output of the following command:

sudo certbot certificates

Found the following certs:
Certificate Name: smartpathauth.di-metal.net
Domains: smartpathauth.di-metal.net
Expiry Date: 2021-08-26 01:53:40+00:00 (VALID: 82 days)

I'm going to assume that certbot is a service that automatically grabs certs from your site and puts them in our box. Correct?

My website shows a cert that expires June 26th..

Certbot is a tool using the "ACME protocol" which can manage the validation of your hostname, get a certificate from the ACME server and, if requested, can install the certificate in two of the most commonly used webservers.

It seems your certbot program has actually managed to renew your certificate, but your webserver isn't using it.

Unfortunately, you still didn't answer all the questions from the questionnaire I explicitly requested. So I don't know which webserver you're using..

web server https://smartpathauth.di-metal.net/

Please tell me what other info you need. So it sounds like the new cert is already in our webserver and we need to apply it, right?

No, that's the URL of your website, the two commonly used webservers on Linux systems are Apache or nginx. On the Windows platform it's mostly IIS.

It's on the computer, yes, in the directory from certbot. But the webserver software is still using the older certificate. It might be as simple as reloading your webserver software to make it load the new certificate.

Sorry, we use Apache Tomcat

You might try to reload your Apache Tomcat.. I must say, I don't have any experience with Apache Tomcat, so I also don't know how certificates are installed/configured in it. If reloading doesn't work, you might need to wait until someone else comes along with more experience with Tomcat.

Sometimes Tomcat is tricky because it traditionally uses a format for certificates called JKS. Certbot outputs PEM files, not JKS files, so you normally need to convert the PEM files to JKS format. (The renewed certificate is a new PEM file with different contents, and requires this conversion to be repeated.)

The conversion is usually done with the openssl program; if you search this forum for "jks" or similar terms, you can find threads that explain how to do this.

Apparently newer versions of Tomcat often can also use PEM files, depending on how they're configured, in which case this isn't the issue. @hector643, if you or someone else manually created a JKS file, you'll probably need to recreate it.

Certbot can be configured to run a designated command whenever it renews a certificate—normally using the --deploy-hook Certbot option. If you do have a need to regenerate JKS files, and you find a correct command to do it, you could then specify that command to Certbot with --deploy-hook so that Certbot will do this automatically for you upon future renewals.
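The deploy-hook approach described above, as an added example that is not part of the original thread: a POSIX shell hook that rebuilds a Tomcat keystore from Certbot's renewed PEM files and then restarts Tomcat. The keystore directory, password file, alias and the `tomcat` service name are assumptions; `RENEWED_LINEAGE` is the variable Certbot passes to deploy hooks.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that rebuilds Tomcat's keystore after a renewal.
# Assumptions (not from the thread): the paths, alias and service name below.
set -eu

KEYSTORE_DIR="${KEYSTORE_DIR:-/opt/tomcat/conf}"      # assumed: where the connector's keystore lives
KEYSTORE_TYPE="${KEYSTORE_TYPE:-jks}"                 # "jks" or "pkcs12"
PASS_FILE="${PASS_FILE:-/etc/tomcat/keystore.pass}"   # assumed: root-only file holding the password
KEY_ALIAS="${KEY_ALIAS:-tomcat}"                      # assumed alias

# build_keystore LINEAGE_DIR OUT_DIR
# Converts fullchain.pem + privkey.pem into OUT_DIR/keystore.p12 (and keystore.jks for "jks").
# Works in a scratch directory so a failed conversion never touches the live keystore.
build_keystore() {
  lineage="$1"; out="$2"
  if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
    echo "no readable PEM files in $lineage" >&2
    return 1
  fi
  umask 077                                   # the keystore contains the private key
  work="$(mktemp -d "$out/.ks.XXXXXX")" || return 1
  # PEM -> PKCS#12 with openssl; the extra certificates in fullchain.pem are included.
  openssl pkcs12 -export -name "$KEY_ALIAS" \
    -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
    -out "$work/keystore.p12" -passout "file:$PASS_FILE" \
    || { rm -rf "$work"; return 1; }
  if [ "$KEYSTORE_TYPE" = "jks" ]; then
    # PKCS#12 -> JKS with the JDK's keytool, same password for store and key.
    keytool -importkeystore -noprompt \
      -srckeystore "$work/keystore.p12" -srcstoretype PKCS12 \
      -srcstorepass:file "$PASS_FILE" \
      -destkeystore "$work/keystore.jks" -deststoretype JKS \
      -deststorepass:file "$PASS_FILE" \
      || { rm -rf "$work"; return 1; }
    mv -f "$work/keystore.jks" "$out/keystore.jks" || return 1
  fi
  mv -f "$work/keystore.p12" "$out/keystore.p12" || return 1
  rm -rf "$work"
}

# Certbot sets RENEWED_LINEAGE (the live/<name> directory) when it runs a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  build_keystore "$RENEWED_LINEAGE" "$KEYSTORE_DIR"
  systemctl restart tomcat        # assumed unit name; Tomcat loads the keystore at start
fi
```

If Tomcat runs as an unprivileged user, the keystore's ownership has to be adjusted so that user can read it. The script is registered by passing its path to Certbot's --deploy-hook option.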
